The Cyberman Show
The place to learn all about cybersecurity, from basics to advanced topics. Every week, you will get a view of what's happening in the cyber verse. We will cover cybersecurity, cloud, artificial intelligence, threats, breaches, emerging technologies and novel ideas. Learn more with us. Stay tuned!
PS: The views are mine and not my employer's.
https://twitter.com/prashant_cyber
The Cybersecurity Report that Everyone Ignored
In November 2025, Anthropic — an AI company, not a cybersecurity vendor — published a threat intelligence report documenting the first confirmed AI-orchestrated cyber espionage campaign. A Chinese state-sponsored group (GTG-1002) jailbroke Claude AI into an autonomous hacking agent that attacked ~30 organizations, handling 80–90% of tactical operations independently. The report got a week of press coverage and everyone moved on. But this episode argues it's the most important cybersecurity report of the decade — and that every major frontier AI lab will publish something similar.
Google Drive link for Podcast content:
https://drive.google.com/drive/folders/10vmcQ-oqqFDPojywrfYousPcqhvisnko
My Profile on LinkedIn: https://www.linkedin.com/in/prashantmishra11/
YouTube channel: https://www.youtube.com/@TheCybermanShow
Twitter handle https://twitter.com/prashant_cyber
PS: The views are my own and don't reflect any views of my employer.
Introduction
Speaker: Hey everyone, welcome to the Cyberman Show. Now I've been in cyber for 20 years plus, and I've been doing this podcast for a few years now, but then I took some break and I wasn't focusing on building content; I was busy in some work for the job that I have. And by the way, I've seen a lot of trends. When I started my career, you know, cybersecurity as a term didn't exist. I've seen viruses, worms, malware, ransomware, APTs, state-sponsored attacks, and I've seen this industry evolve; I've seen technologies that didn't exist come to life, right? So I've been there for some time. Now, the report that I'm gonna talk about today changes everything that we've been doing for decades. So I'm gonna break down this most important cybersecurity report that came out last year, and what I can also tell you is that something similar is gonna be published by a lot of other companies in the AI space. By the way, if you've been there before on my podcast, my YouTube channel, thank you so much. I've missed you. With that, let's get started. So, the report that I'm gonna talk about today is the Anthropic AI espionage report that came in November 2025. Now, I've read this report in November, then I read it again in December, read it in February, and you know, I'm still reading it again. And the reason I'm doing this repeated reading is because, although on one side I believe that all this is possible, in whatever experience I have, I still can't believe it. I'd find all this as science fiction. Okay, so let's look at this report. Now, when this report came, not many people spoke about it, but this is unprecedented. Okay, why is this unprecedented? It is published by a frontier AI lab, Anthropic.
Okay, it's not a cybersecurity company; it's not Palo Alto, Mandiant, CrowdStrike, whatever name you can think of, not the companies who are focused on finding threat intelligence and malicious campaigns. In this report, these threat actors were able to use AI, Claude in this case, as a weapon. So they had to investigate their own tool: Anthropic used AI to investigate AI. It's also the first documented case of agentic AI successfully hacking high-value custom targets. Also, it's an escalation from the earlier vibe hacking report that came in June 2025. And what Anthropic also believes is that this is a common pattern that, I'm sure, other frontier AI labs are also tracking, not just Anthropic. Now, let's go about this campaign that Anthropic has mentioned. So, the first thing in this campaign is the threat actor, codenamed GTG-1002. They are a Chinese state-sponsored group. The attribution is high confidence, and this was detected in mid-September 2025. They are well resourced, professionally coordinated; they attacked 30 entities across multiple sectors, so AI attacked 30 entities, and some of these intrusions were confirmed successful, and targets included major tech corporations, financial institutions, chemical manufacturers, government agencies, etc. Now, how this thing works is the threat actors used Claude Code and MCP to trick Claude into orchestrating the entire attack. So they built an autonomous attack framework around Claude, and the key trick was they played the role of employees working for a legitimate cybersecurity firm doing defensive testing. They fooled AI, they social engineered AI, and that is one thing that I don't believe I would have said, or anybody would have imagined: humans fooled AI, or social engineered AI.
Okay, and they broke the entire complex task into small, innocent-looking tasks. Each individual request appeared harmless, but together it formed a full espionage campaign, and AI executed individual attack chain components without access to the broader malicious context. Now, this is the first recorded case in history of social engineering an AI model. So that's why I thought it's important to do a coverage on this. Now let's talk about the attack infrastructure. So, as you can imagine, more details are there in the Anthropic report. I highly recommend you to go through it. But there are three categories or three layers in this. One is, of course, the orchestration layer managed by Claude, then the MCP tool call layer, and then the targets, which included applications, databases, internal networks, cloud and appliances, whatever came from those companies that were under attack. Okay, and in this entire operation, Claude worked as an execution layer inside a larger system. The orchestration logic itself maintained the attack state across sessions, which came as a surprise to me because session management, or context management, is not an easy thing, or it wasn't as easy as it is now in 2026 versus when this was detected, let's say September, October 2025. Of course, it's gonna get better. So what that means is the threat actor was highly proficient in Claude. Also, they used multiple specialized MCP servers for the tools that they executed. They executed remote commands, they used browser automation for web application reconnaissance, they used code analysis for security assessment, they used testing frameworks for vulnerability validation, they used callback communication, they used open source tools, not custom malware. And they also used callback services to validate exploits. Now, this is the high-level summary of how the attack worked, right?
But if you have to double-click on this, there were six phases of this attack. Phase one was all about campaign initialization and target selection; phase two, recon plus attack surface mapping; phase three was vulnerability discovery and validation; phase four was credential harvesting and lateral movement; phase five was data collection and intelligence extraction; and phase six was documentation and handoff to human operators. Okay, let's take a look further into each of these phases. So, in phase one, the human operator gave the target, AI did the recon. So the human decided the direction it is gonna execute in, and then AI worked. In the second phase of recon, Claude conducted multiple autonomous recons using MCP, then it cataloged infrastructure, analyzed authentication mechanisms, identified vulnerabilities, ran this simultaneously across multiple targets with separate operational contexts, mapped complete network topology, discovered internal services across IP ranges, and then cataloged hundreds of discovered services and exploits. As it moved to phase three, Claude independently generated attack payloads tailored to discovered vulnerabilities, executed testing through remote command interfaces, validated exploits via callback mechanisms, right? The way that typically a penetration tester or a person moves. In phase four, Claude did systematic credential collection, queried internal services, extracting authentication services, certificates, and then testing harvested credentials. It independently determined which credentials gave access to which services, mapped privilege levels and access boundaries without human direction. It then did lateral movement, tested authentication against internal APIs, databases, container registries, and logging infrastructure, and eventually it built a comprehensive map of this internal network architecture. Phase five, where data was collected and intelligence was extracted.
This was again done by Claude autonomously most of the time. Example: in the nine-step database extraction operation that Claude did in around two to six hours, the human only reviewed findings at the end. This was the most autonomous phase. Okay. Claude processed large volumes of data, identifying valuable intelligence automatically, and in the last phase, it documented everything on its own. It created structured markdown files that had discovered services, harvested credentials, extracted data, exploitation techniques, complete attack progression, that allowed seamless handoff between operators. Okay, evidence suggests handoff to additional teams for sustained operations. Okay, now the interesting thing that happens in this is the numbers, right? So if you look at the numbers in this report, there were 30 entities that were targeted, 80 to 90 percent of the tactical work was done by AI independently, 10 to 20 percent of the work was done by humans, and that too only for strategic discussions. Thousands of requests were created. AI worked autonomously for hours, humans worked only for minutes; that just blew me away. Okay, typically, when you're vibe coding, you are constantly telling AI, but the moment agentic AI kicks in, it puts everything together. So, orchestration is a very important piece here, and that's the skill we all have to develop. Now, example: in phase three, AI worked one to four hours, humans reviewed only for two to ten minutes. In phase five, for example, AI worked two to six hours, humans reviewed only for five to twenty minutes. Now, the report also mentions AI's limitations, mostly around hallucination, where it identified critical discoveries that were actually public information, and I'm sure this is gonna get better; these things improve with time. So I'm not gonna go deeper into that.
Please go through the report to understand the specific call-outs in there. But for me, some of the interesting things were: one, they used open source tools, not custom malware. Okay, also because of the nature of the way these AI platforms work, anybody, which includes less experienced, less resourced groups, can now perform nation-state level attacks. We won't need to be elite hackers. Now the new capability will be orchestration of commodity resources, not technical innovation. So AI changes everything for us, it changes everything for threat actors. Now, what Anthropic did is typical investigation: they banned accounts, notified entities, they used Claude to analyze the attack data, AI investigating AI, and they are improving their cyber-focused classifiers, of course, so that this thing doesn't happen again. But you're only talking about one lab, right? There are multiple known and multiple unknown labs that exist worldwide in various countries, and geopolitics will always play a role in this. Now, while this is all fascinating stuff, what are the implications, right? Now, one: cybersecurity teams have to start using AI now for defense. AI can only beat AI. Okay, that's the key thing. Of course, we have to, as an industry, share more threat intelligence, improve detection methods, have better safety controls, etc. Okay, but remember these techniques that were mentioned in this report will proliferate across the threat landscape. Now, why I'm excited or curious about this report is it came out from a non-cybersecurity company, and I'm sure every other frontier model company has the same capabilities. But are they sharing all the attacks that they're seeing? I've not seen much except one thing that came from Google maybe last year, where they mentioned state actors from four countries were using Gemini for offensive operations. So it is there.
The other thing is that the detection technologies have to evolve to handle the AI speed of adversaries that are using AI for such kinds of operations. The SIEM that is typically used in security operations for monitoring and finding attacks was designed for human speed; it was not designed for handling thousands of autonomous requests per second. And of course, I strongly believe that this is the working attack. Why? Because it's gonna get better with time. I'm sure the models have evolved. I've used those models, so we will constantly see reports. I'm predicting it right now. It's a very easy prediction to do. Every few months we will hear about an attack where AI did everything on its own that led to something, right? With more builders creating software, I'm sure there will be more builders creating malicious campaigns, like they always do, right? So that's why I highly recommend you to go through this report, start learning about agentic AI orchestration, building software, securing software, right? And always learn, keep learning, right? That's my recommendation. With that, thank you so much for your time. I'm gonna keep creating more content. I'm back to regular routines, so hopefully you will see more content coming from my end. Drop your comments, like, share if you really like this, and give feedback. Thank you so much. I'll see you next time.
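As an added example (not from the episode or from the Anthropic report), here is the kind of velocity check the speaker argues human-speed SIEM rules lack: it flags a source that authenticates against many distinct internal service classes (APIs, databases, container registries, logging) within seconds, the phase-four pattern described above. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Velocity check for machine-speed credential testing across many
internal service classes. Log lines, field layout and thresholds are
constructed assumptions for this example, not data from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-gateway log: timestamp, source IP, service class, result
SAMPLE_LOG = """\
2025-09-15T10:00:00Z 10.0.5.20 api FAIL
2025-09-15T10:00:01Z 10.0.5.20 api OK
2025-09-15T10:00:01Z 10.0.5.20 db OK
2025-09-15T10:00:02Z 10.0.5.20 registry OK
2025-09-15T10:00:03Z 10.0.5.20 logging FAIL
2025-09-15T10:00:03Z 10.0.5.20 logging OK
2025-09-15T10:01:10Z 10.0.7.8 api OK
2025-09-15T10:05:42Z 10.0.7.8 db OK
"""
# Assumed thresholds: within 10 seconds a human operator rarely makes
# six auth attempts or touches more than three distinct service classes.
WINDOW = timedelta(seconds=10)
MAX_ATTEMPTS = 6
MAX_SERVICES = 3


def parse(log):
    # Turn raw lines into (timestamp, src, service, result) tuples.
    events = []
    for line in log.splitlines():
        ts, src, svc, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, svc, result))
    return events


def detect_machine_speed(log, window=WINDOW, max_attempts=MAX_ATTEMPTS,
                         max_services=MAX_SERVICES):
    """Sliding window per source; returns {src: (attempts, services)} for
    sources exceeding either threshold. OK and FAIL both count: an agent
    testing harvested credentials succeeds often, so failure counts alone miss it."""
    by_src = defaultdict(list)
    for ev in sorted(parse(log)):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            win = evs[start:end + 1]
            services = {e[2] for e in win}
            if len(win) >= max_attempts or len(services) > max_services:
                alerts[src] = (len(win), sorted(services))
    return alerts
```

On the constructed sample, 10.0.5.20 is flagged (six attempts across four service classes in three seconds) while 10.0.7.8, which behaves at human pace, is not.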